Fortinet black logo

CLI Reference

system replacemsg mail

system replacemsg mail

Use this command to change default replacement messages added to email messages when the antivirus engine blocks a file either because of a matching file pattern or because a virus is detected; or when spam filter blocks an email. By default, these are text messages with an 8-bit header.

config system replacemsg mail
    edit {msg-type}
    # Replacement messages.
        set msg-type {string}   Message type. size[28]
        set buffer {string}   Message string. size[32768]
        set header {none | http | 8bit}   Header flag.
                none  No header type.
                http  HTTP
                8bit  8 bit.
        set format {none | text | html | wml}   Format flag.
                none  No format type.
                text  Text format.
                html  HTML format.
                wml   WML format
    next
end

Additional information

The following section is for those options that require additional explanation.

buffer <message>

Type a new replacement message to replace the current replacement message. Maximum length 32,768 characters.

mail message types

email-block

The antivirus File Filter is enabled for an email protocol deletes a file that matches an entry in the selected file filter list. The file is blocked and the email is replaced with the email-block message.

email-dlp-ban

In a DLP sensor, a rule with action set to Ban replaces a blocked email message with this message. This message also replaces any additional email messages that the banned user sends until they are removed from the banned user list.

email-dl-ban-sender

In a DLP sensor, a rule with action set to Ban Sender replaces a blocked email message with this message. The email-dlp-ban message also replaces any additional email messages that the banned user sends until the user is removed from the banned user list.

email-dlp-subject

The email-dlp-subject message is added to the subject field of all email messages replaced by the DLP sensor Block, Ban, Ban Sender, Quarantine IP address, and Quarantine interface actions.

email-filesize

When the antivirus Oversized File/Email is set to Block for an email protocol removes an oversized file from an email message, the file is replaced with the email-filesize message.

partial

Antivirus Pass Fragmented Emails is not enabled so a fragmented email is blocked. The partial message replaces the first fragment of the fragmented email.

smtp-block

Splice mode is enabled and the antivirus file filter deleted a file from an SMTP email message. The FortiGate unit aborts the SMTP session and returns a 554 SMTP error message to the sender that includes the smtp-block replacement message.

smtp-filesize

Splice mode is enabled and antivirus Oversized File/Email is set to Block. When the FortiGate unit blocks an oversize SMTP email message, the FortiGate unit aborts the SMTP session and returns a 554 SMTP error message to the sender that includes the smtpfilesize replacement message.

Replacement message tags

Replacement messages can include replacement message tags. When users receive the replacement message, the replacement message tag is replaced with content relevant to the message.

%%FILE%%

The name of a file that has been removed from a content stream. This could be a file that contained a virus or was blocked by antivirus file blocking. %%FILE%% can be used in virus and file block messages.

%%VIRUS%%

The name of a virus that was found in a file by the antivirus system. %%VIRUS%% can be used in virus messages.

%%QUARFILENAME%%

The name of a file that has been removed from a content stream and added to the quarantine. This could be a file that contained a virus or was blocked by antivirus file blocking. %%QUARFILENAME%% can be used in virus and file block messages.

%%PROTOCOL%%

The protocol (HTTP, FTP, POP3, IMAP, SMTP) in which a virus was detected. %%PROTOCOL%% is added to alert email virus messages.

%%SOURCE_IP%%

IP address of the email server that sent the email containing the virus.

%%DEST_IP%%

IP address of the user’s computer that attempted to download the message from which the file was removed.

%%EMAIL_FROM%%

The email address of the sender of the message from which the file was removed.

%%EMAIL_TO%%

The email address of the intended receiver of the message from which the file was removed.

system replacemsg mail

Use this command to change default replacement messages added to email messages when the antivirus engine blocks a file either because of a matching file pattern or because a virus is detected; or when spam filter blocks an email. By default, these are text messages with an 8-bit header.

config system replacemsg mail
    edit {msg-type}
    # Replacement messages.
        set msg-type {string}   Message type. size[28]
        set buffer {string}   Message string. size[32768]
        set header {none | http | 8bit}   Header flag.
                none  No header type.
                http  HTTP
                8bit  8 bit.
        set format {none | text | html | wml}   Format flag.
                none  No format type.
                text  Text format.
                html  HTML format.
                wml   WML format
    next
end

Additional information

The following section is for those options that require additional explanation.

buffer <message>

Type a new replacement message to replace the current replacement message. Maximum length 32,768 characters.

mail message types

email-block

The antivirus File Filter is enabled for an email protocol deletes a file that matches an entry in the selected file filter list. The file is blocked and the email is replaced with the email-block message.

email-dlp-ban

In a DLP sensor, a rule with action set to Ban replaces a blocked email message with this message. This message also replaces any additional email messages that the banned user sends until they are removed from the banned user list.

email-dl-ban-sender

In a DLP sensor, a rule with action set to Ban Sender replaces a blocked email message with this message. The email-dlp-ban message also replaces any additional email messages that the banned user sends until the user is removed from the banned user list.

email-dlp-subject

The email-dlp-subject message is added to the subject field of all email messages replaced by the DLP sensor Block, Ban, Ban Sender, Quarantine IP address, and Quarantine interface actions.

email-filesize

When the antivirus Oversized File/Email is set to Block for an email protocol removes an oversized file from an email message, the file is replaced with the email-filesize message.

partial

Antivirus Pass Fragmented Emails is not enabled so a fragmented email is blocked. The partial message replaces the first fragment of the fragmented email.

smtp-block

Splice mode is enabled and the antivirus file filter deleted a file from an SMTP email message. The FortiGate unit aborts the SMTP session and returns a 554 SMTP error message to the sender that includes the smtp-block replacement message.

smtp-filesize

Splice mode is enabled and antivirus Oversized File/Email is set to Block. When the FortiGate unit blocks an oversize SMTP email message, the FortiGate unit aborts the SMTP session and returns a 554 SMTP error message to the sender that includes the smtpfilesize replacement message.

Replacement message tags

Replacement messages can include replacement message tags. When users receive the replacement message, the replacement message tag is replaced with content relevant to the message.

%%FILE%%

The name of a file that has been removed from a content stream. This could be a file that contained a virus or was blocked by antivirus file blocking. %%FILE%% can be used in virus and file block messages.

%%VIRUS%%

The name of a virus that was found in a file by the antivirus system. %%VIRUS%% can be used in virus messages.

%%QUARFILENAME%%

The name of a file that has been removed from a content stream and added to the quarantine. This could be a file that contained a virus or was blocked by antivirus file blocking. %%QUARFILENAME%% can be used in virus and file block messages.

%%PROTOCOL%%

The protocol (HTTP, FTP, POP3, IMAP, SMTP) in which a virus was detected. %%PROTOCOL%% is added to alert email virus messages.

%%SOURCE_IP%%

IP address of the email server that sent the email containing the virus.

%%DEST_IP%%

IP address of the user’s computer that attempted to download the message from which the file was removed.

%%EMAIL_FROM%%

The email address of the sender of the message from which the file was removed.

%%EMAIL_TO%%

The email address of the intended receiver of the message from which the file was removed.